AWS Security ChangesHomeSearch

AWS apigateway high security documentation change

Service: apigateway · 2026-06-16 · Security-related high

File: apigateway/latest/developerguide/apigateway-custom-domain-tls-version.md

Summary

Corrected TLS negotiation behavior documentation for custom domains

Security assessment

Fixes critical documentation error about TLS policy selection. Original misstatement could lead to misconfiguration where API policies override custom domain security policies, potentially weakening TLS security.

Diff

diff --git a/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.md b/apigateway/latest/developerguide/apigateway-custom-domain-tls-version.md
index d4064ed3e..3ecf539bc 100644
--- a//apigateway/latest/developerguide/apigateway-custom-domain-tls-version.md
+++ b//apigateway/latest/developerguide/apigateway-custom-domain-tls-version.md
@@ -25 +25 @@ The following are considerations for security policies for custom domain names f
-  * Your API can be mapped to a custom domain name with a different security policy than your API. When you invoke that custom domain name, API Gateway uses the security policy of the API to negotiate the TLS handshake. If you disable your default API endpoint, this might affect how callers can invoke your API.
+  * Your API can be mapped to a custom domain name with a different security policy than your API. When you invoke that custom domain name, API Gateway uses the security policy of the custom domain to negotiate the TLS handshake. If you disable your default API endpoint, this might affect how callers can invoke your API.